'Only Chromium-based browser I've tested that behaves this way': Microsoft Edge has a huge password vulnerability, researcher claims
Allegedly, the flaw is "by design"
Microsoft Edge apparently saves your passwords in its memory as cleartext, according to a Norwegian cybersecurity researcher. This matters because it means a malicious actor could see all of your passwords if they gain access to your PC.
The researcher, Tom Jøran Sønstebyseter Rønning (spotted by our friends at PC Gamer), posted a thread on X explaining how the browser decrypts "every credential at startup" and then keeps them in process memory. It even happens for sites that you don't visit that session.
"Edge is the only Chromium‑based browser I’ve tested that behaves this way," Rønning said.
To be clear, this isn't available for anyone to just stumble across. You need some know-how and administrative access to the terminal server, already a huge breach. Once that is done, a bad actor "can access the memory of all logged‑on user processes."
A person could have administrative access on one account and then use that access to compromise passwords for other logged-in users too.
Yes, someone with admin rights can wreak havoc on any computer they have access to, but you typically need passwords to access password managers or two-factor authentication. Cleartext means that passwords are more visible, and in a shared environment that would be a treasure trove for a bad actor.
"By design"
Rønning posted that he disclosed this flaw to Microsoft and was told that the behavior is "by design." And it appears to be known.
In a related thread, X user LopezLuccio666 responded that they reported the flaw in September of 2025. According to a screencap they posted, the Microsoft Security Response Center (MSRC) deemed the flaw "not a vulnerability and no security boundary being crossed."
The message says that the ability to read Edge memory requires privileges "the same or greater."
Microsoft has a password manager security FAQ that does sort of address the issue. "Even if an attacker has admin rights or offline access and can get to the locally stored data, the system is designed to prevent the attacker from getting the plaintext passwords of a user who isn't logged in."
This doesn't do anything for users that are logged in though.
Per Rønning and others' research, the system may not be doing enough to prevent attackers from being able to access the cleartext passwords.
Tom's Guide has reached out to Microsoft for clarity on this flaw and how Edge prevents attackers from seeing the passwords. We will update this article if and when the company responds.
In the meantime, though, we recommend using one of the best password managers instead of storing passwords in Edge or any other browser, for that matter.

Scott Younker is the West Coast Reporter at Tom’s Guide. He covers all the latest tech news. He’s been involved in tech since 2011 at various outlets and is on an ongoing hunt to build the easiest-to-use home media system. When not writing about the latest devices, you are more than welcome to discuss board games or disc golf with him. He also handles all the Connections coverage on Tom's Guide and has been playing the addictive NYT game since it released.
